As the world got busy battling the effects and impact of the virus, hackers saw this as an opportunity to exploit new vulnerabilities that emerged from a large numbers working from home, writes Ajay Singh, as he explains various cyber risks faced by individuals and groups and suggests ways to tackle them
The Covid-19 pandemic has led to lockdowns across the world and made working from home an inevitable necessity. While this allows businesses to remain operational, it has exposed organisations to several new risks, particularly for those who fail to take the proper precautions. Even as the world got busy battling the effects and impact of the virus, hackers saw this as an opportunity to exploit new vulnerabilities that emerged from a large work force working from home.
Various reports around the world indicate a sharp increase in cybercrime even as Covid-19 has caused major disruptions and forced changes in the way we work. During this crisis, there has been a sudden surge in cybercrime in many countries with cybercriminals preying on new factors and vulnerabilities related to information systems that have come into play.
Scams, phishing websites, maps loaded with malware, and spam messages linked to the Coronavirus have been reported the world over. Dominic Raab, the British Foreign Secretary observed in early May that ‘There will always be some who seek to exploit a crisis for their own criminal and hostile ends. We know that cyber criminals, and other malicious groups are targeting individuals, businesses, and other organisations by deploying Covid-19 related scams and phishing emails.’ Since then cyber threats and attacks have only increased.
The lockdowns have not only made us work from home, but also shop-from-home, study-from-home, bank-from-home, attend meetings from home and so on. Studies have also shown a dramatic increase in the amount of time people are spending on-line. Fortunately, technologies like video conferencing, BYOD (Bring Your Own Device), VPN (Virtual Private Network), and collaborative platforms exist today that enable working from home. However, the exposure to cyber risk has grown exponentially and rather suddenly and existing security standards have been compromised. Cybercriminals have been quick to discover that employees working from home have weaker cybersecurity than when they operate from their offices. They have exploited new weaknesses in the various technologies used and have incessantly launched attacks.
Given that we are spending (and will continue to spend) a major part of our lives on-line, a comprehensive assessment of the cyber risks that we are exposed to as individuals, families, and businesses, is key to survive and thrive.
A large number of organisations have already announced that some office-based employees will be working from home in some form for the foreseeable future and perhaps even permanently. This shift to a work from home environment which initially was considered as a temporary solution may become a regular practice. This necessitates a complete rethink on cyber risks and involves moving away from traditional cybersecurity approaches. Any policies and protocols related to cybersecurity which were introduced when companies switched to work-from-home may have served them in the short-term, but when it comes to long-term measures, a thorough re-evaluation needs to be conducted. With the easing of lockdown restrictions, when employees will no longer be confined to working from home, the larger questions of dealing with cyber risks of working-from-anywhere will become more relevant. The top of the cybersecurity agenda for individuals, businesses, and governments in the aftermath of coronavirus should therefore be to mitigate cyber risks and build a safer and more resilient cyber environment.
Individuals and cyber risks
We have all been a target of cyber-attacks in some form or the other, for instance phishing attacks, phone calls or SMSs from cybercriminals, among others. They are after your personal data, passwords, social ids, bank information and social contacts… basically anything that can either fetch them a price for your data or can help them launch bigger attacks. Escaping a cyber-attack means that you have been vigilant, prepared or simply lucky enough to avoid one.
There are fortunately many things we can do as individuals to make our online existence safer while working from home or for that matter working from anywhere. Before looking at what we can do, consider the findings of the latest Norton Cyber Security Insights Report which suggests that:
- 30% of people cannot detect a phishing attack and another 13 percent cannot tell the difference between a real message and a phishing email. This implies that four in 10 are vulnerable.
- Eighty-six percent of people said they may have been a target of a phishing incident.
- 70% of consumers wish that their home Wi-Fi network could be made more secure. However, a mere 27% consider it likely that their home Wi-Fi network could be susceptible to attack.
This goes to show that cyber threats are greatly enhanced by the fact people are largely unaware of the cyber risks that they have to contend with and the counter measures they must adopt to mitigate the risks. Some of the basic things that contribute to maintain better cyber hygiene while working from home are:
- Instead of using personal devices, company-provided computers and laptops should be used
- A VPN software can be utilised to connect the organisation network
- Using different devices for work and leisure
- Stopping remote access unless it is a necessity
- Default passwords should be changed
- Devices and online accounts should have strong passwords. For both personal and business accounts multi-factor authentication wherever available, should be utilised
- Meeting links should strictly not be shared publicly or through social media platforms
- Trusted apps or those recommended by one’s employer should be used for work involving collaboration
- Regularly updating operating systems, antiviruses and other applications on computers and other devices
- Home Wi-Fi and admin passwords should be changed regularly, while avoiding open/free Wi-Fi networks
- Cyber-hygiene guidelines as laid out by one’s employer should be strictly followed
Organisations and cyber risks
Today, almost all businesses regardless of the industry they are in and their size are vulnerable to cyber-attacks which can happen at any time, without warning. This is true across sectors and geographies. The pandemic has only accelerated the need to implement comprehensive cybersecurity programs after a thorough assessment of existing, new, and emerging cyber risks. The concept of a cyber ‘perimeter’ which was once confined to the walls of an organisation or a data centre has completely eroded. Security professionals have been forced to abandon the traditional castle-and-moat strategy used so effectively in the past due to the arrival of cloud computing and the use of portable devices by organisations coupled with the integration of personal devices into organisational systems. The cyber perimeter has interminably moved from the walls of the enterprise to what is today a flexible and extended virtual perimeter. This calls for a reassessment of cyber risks and requirements across the following four dimensions:
- Technology dimension: securing IT systems, applications, networks, data, and devices
- People: employees and others who are users and have access an organisation’s system
- Policies, Procedures and Processes that are used to run business operations
- Laws, regulations, and compliance
In the near future as the pandemic continues, there are a few types of cyber-threats companies must specifically be prepared for and safeguard against:
Ransomware: Ransomware is a type of malware that is used to deny access to a computer system or data by encrypting the information and keeping it hostage until the ransom is paid. There has been an alarming rise in Ransomware attacks in recent months. The deployment methods include socially engineered emails packed with malware, or a weblink that triggers a drive-by download. Some of the ways to protect your systems from Ransomware attacks include changing default passwords at all access points, training employees in identifying suspicious email links, keeping air-gapped up-to-date data back-ups, prohibiting the use of USB drives, and updating all operating systems and software in time.
Phishing: This is a type of social engineering attack where hackers attempt to steal login credentials such as passwords or deceive people in multiple ways into installing malware. Employee training to recognise phishing emails and the use of multi-factor authentication can help to prevent or mitigate damage from a cyber-attack which may result from a phishing exploit.
Business email compromise: During this pandemic, a large number of cases of business email compromise instances have been reported. Here, cybercriminals spoof emails (usually making them look like they are from legitimate sources) to redirect a payment intended for one of the company’s suppliers to their own bank accounts. In a work from home scenario, where employees are not in front of each other to seek clarifications, these kinds of cyber-attacks are on the rise. Preventing such attacks calls for a high degree of vigilance and situational awareness among employees (especially those processing payments). Employees must be advised to be careful and alert to such attempts and double check before they initiate action. Organisations must also implement additional controls to prevent any mistakes in this regard.
Bring Your Own Device (BYOD): The use of personal devices like phones, laptops and tablets for office work has become common nowadays. As employees switched to working from home, there are many who also started to use their home devices for day to day work. While companies may have policies for onboarding these devices into the corporate network, there is often laxity and carelessness in observing the protocols. More so, during the pandemic. The absence of specific organisational cybersecurity protocols makes them a cyber risk. If any of these devices are compromised, they can provide hackers with an opening into a corporate’s network and data which can be accessed and exploited. If employees continue to work from home and rely on personal devices for the foreseeable future, then a more robust protocol must be established which mandates the installation and updating of security software on personal devices that are used for office work.
Focussing on the softer aspects of cybersecurity: Thus far, discussions around cyber security have largely focused on IT infrastructure, and the risks that software and hardware can pose to businesses. However, the pervasiveness of cyber threats like Ransomware, stealing of passwords, social engineering attacks like phishing and Business Email, Compromise among others are forcing businesses to consider the softer and less tangible aspects of cyber security such as awareness, training and a security first culture. A heightened level of situational awareness in the context of responsible online behaviour, maintaining basic cybersecurity standards and training is also necessary to ensure both new and existing employees are well versed in cyber risks.
Government and cyber risks
Governments around the world have taken note of the alarming rise in cybercrime in recent months which coincide with the spread of the pandemic. Indian citizens, commercial and legal entities faced nearly seven lakh cyber-attacks till August in the current year according to Government data. Recognising the rapidly increasing cyber risks, the Government of India issued guidelines for Chief Information Security Officers (CISOs) relating to their key roles and responsibilities for securing applications/infrastructure and compliance. All Ministries/ Departments of the Central Government, State Governments (and their organisations) and all critical sectors are implementing a ‘Cyber Crisis Management Plan for countering cyber-attacks and cyber terrorism’. Mumbai suffered a major power outage on October 12 which lasted several hours. Today, authorities are investigating whether this was a cyber-attack.
Cyber risk is real, and it is potent. For all digital citizens and entities, it is a reality that will outlast the pandemic. The specific cybersecurity security challenges across industry sectors, governmental systems, public utilities are wide ranging. As cybersecurity experts say, you are never done as far as cybersecurity is concerned. Cyber risks and threats keep evolving and so should cybersecurity measures and systems. This is one game you have to keep winning to survive and thrive in the digital world.
The writer is a Corporate Advisor and mentor. He has recently authored a book titled CyberStrong: A Primer on Cyber Risk Management for Business Managers, published by SAGE Publications India